On 12 July 2002 the EU agreed fundamental changes to the 1997
EC Directive on privacy and telecommunications, preventing the
erasure of data and allowing member states to introduce new laws
requiring communications providers to keep traffic data and make
it accessible to the law enforcement agencies.

A draft, binding, EU Framework Decision prepared by the Belgian
government (and backed by the UK) has temporarily been put on
the shelf due to widespread criticism. But a secret document
shows that at the national level nine out of 15 member states
have, or are planning to, introduce mandatory data retention
(only two member states appear to be resisting this move). In
due course it can be expected that a "harmonising"
EU measure will follow.

Terrorism pretext for mandatory data retention

Mandatory data retention had been demanded by EU law enforcement
agencies and discussed in the EU working parties and international
fora for several years prior to 11 September 2000. On 20 September
2001 the EU Justice and Home Affairs Council put it to the top
of the agenda as one of the measures to combat terrorism. But
now, over 16 months later, it is nowhere near being in operation
in most EU states.

So the question has to be asked: does this mean that all telecommunications
have not been under surveillance since 11 September? Of course
they have, not by the law enforcement agencies but by the security
and intelligence agencies. The National Security Agency (USA)
and the Government Communications Headquarters (GCHQ, UK) have
been surveilling global communications since 1947 (UKUSA agreement).
During the Cold War this was for military and political purposes;
later, through the new Echelon system, political and economic intelligence
was targeted. Echelon, NSA and GCHQ were already moving to cover
terrorism (and associated serious crime) before 11 September
- after which it became a new priority. But even then, for example,
with the new, huge, NSA online storage system (Petraplex) designed
to hold all the world's communications for 90 days, this is almost
useless unless the agencies know (through gathering human intelligence
on the ground, HUMINT) what to look for.

The EU's law enforcement agencies demand for data retention,
now backed by their governments, has little or nothing to do
with terrorism but rather is primarily to deal with crime and
internal threats posed by public order, refugees and asylum-seekers,
and migrant communities.

Analysis

Following the fundamental changes to the 1997 EC Directive on
privacy in the telecommunications sector formally adopted on
12 July 2002 the door was open for new measures to require data
to be retained at national and EU levels (see Statewatch, vol
12 no 3/4).

Two key privacy protections were removed. The first
said that data could only be held for the purposes of billing
(ie: for the customer to check the details), usually only for
a few weeks. The second allows member states to adopt national
laws to require communications providers to retain data for a
specified period so that law enforcement agencies can get access
to it.

"Under the table", out of public view, was a binding
Framework Decision drafted by the Belgian government which would
have made data retention mandatory in all EU states (and all
applicant states) and rules for the exchanges of data between
states/agencies (see Statewatch, vol 12 no 3/4 for details).
Statewatch was leaked a copy of the draft Framework Decision
and when it was published, with much critical commentary, the
Danish Presidency of the Council of the European Union claimed
to know nothing about it.

However, a set of non-binding draft Conclusions, prepared by
the Danish EU Presidency, said:

"within the very near future, binding rules should
be established on the approximation of Member States' rules
on the obligation
of telecommunications service providers to keep information concerning
telecommunications in order to ensure that such information is
available when it is of significance for criminal investigations"
(Conclusion 9, doc no 10358/02, 24.6.02, emphasis added).

Five further drafts were produced prior to the adoption of the
Conclusions at the Justice and Home Affairs Council on 19 December
2002. The first, on 3 October, said that two delegations
were not in favour of the draft document and five had scrutiny
reservations - this was to rise to nine by the time of the next
draft on 23 October. The disagreement centred on the issue of
data retention in Conclusion 7 (the renumbered no 9 in the adopted
text).

The 3 October version said "binding rules should be established
on.. retain[ing] traffic data". By 23 October the word "binding"
had disappeared, and now a "dialogue" leading to "rules..
should be established and implemented". The draft of 22
November 2002 was firmer, saying that there should be: "as
a matter of priority, the necessity of establishing and implementing
binding rules.. to retain specific traffic data". But the
version of 28 November (which became the final version) said
that:

"before adopting rules.. to retain specific traffic data..
a dialogue between interested parties should take place.. [and
that] If it is found necessary to establish such rules, they
should at any rate ensure that such traffic data is available"

So, on the face of it, mandatory data retention across the
EU would appear to be on hold for the moment. Indeed, no other
EU government wants to pick up and formally put forward the Belgian
government's draft binding Framework Decision - it thus remains
"under the table".

This lack of decisive action is all the more surprising as Conclusion
4 of the specially-called meeting of the Justice and Home Affairs
Council on 20 September 2001 (and the Bush letter of 16 October
2001) called for measures to be brought forward urgently.

The true picture is more complex. First, the law enforcement
agencies already have the power in every EU state to place under
surveillance named, specific individuals or organisations (the
procedure varies from state to state but has been in place for
years). Investigations into suspected terrorists are thus ongoing
and unhindered. Second, a majority of EU member states have adopted,
or are in the process of adopting, national laws on mandatory
data retention (see below). Third, the issue of the costs imposed on
communications providers is unresolved. Fourth, in some countries there is,
in addition to privacy considerations, a perceived conflict between
new surveillance powers to combat terrorism being extended to
crime in general. Fifth, the widely reported adverse critiques
of sweeping changes, by civil liberties groups and civil society,
have embarrassed some governments - can democracy be defended
by undermining it? Finally, the agencies mainly involved in tackling
terrorism (as distinct from crime) - the security and intelligence
agencies - have virtually unfettered powers of surveillance in
many EU states.

EU survey on current laws and on the introduction of mandatory
data retention at national level

Mandatory data retention has primarily been demanded by the law enforcement
community (police, criminal investigation, immigration, customs
etc) from well prior to 11 September 2001.

On 14 August 2002 the Danish Presidency sent out a questionnaire
on data retention to member states. The initial results of the
survey were presented to the EU's Multidisciplinary Group on
Organised Crime in a Room document (no 7) at its meeting on 16
September 2002 and the final document covering all member states
(14107/02) was circulated to the same working group on 20 November
2002.

Statewatch applied to the Council of the European Union
for a copy of Room document no 7 discussed on 16
September. But on 3 December 2002 the Council wrote to Statewatch
refusing access. The reasons given were as follows:

"Room document 7 relates to the state of play on retention
of traffic data. It refers to problems law enforcement authorities
have encountered in this field and highlights the weaknesses
and vulnerabilities of the Member States' law enforcement systems
on this topic.

This information would be useful for criminals who want to exploit
those weak spots in order to pursue their activities in these
Member States and other countries of the European Union. This
would undermine the protection of the public interest as regards
public security. Furthermore, parts of this information were
provided on a confidential basis by the law enforcement authorities
themselves on the condition that the results would be used only
for communication between Member States. Disclosure of this information
would be a breach to their trust and could make them reluctant
to provide more of such information in future. Access to these
documents is therefore denied pursuant to article 4(1)(a) of
the Regulation (public security)."

Statewatch has appealed against the refusal of access.

However, both documents (16 September and 20 November 2002) are
now in the public domain. What they show is that the information
provided is a description of the present state of the law on
telecommunications surveillance in each EU state and the plans,
if any, to amend the legal framework.

An analysis of the answers to the questionnaire gives the following
picture:

Austria
The existing law is under Section 93 of the Law on Telecommunications
(TKG) plus the Surveillance Regulation (UVO) which establishes
an obligation to cooperate on service providers. A new Law on
Communications is being drafted and: "Consideration is being
given to the inclusion in the draft of a rule obliging providers
to retain exchange data for a given period for prosecution purposes".

On the proposal that there should be an EU instrument on data
retention: "The Austrian Ministry of Justice and the Austrian
Ministry of the Interior would welcome a binding rule (possibly
in the form of a framework decision)." (The Federal Chancellery,
responsible for data protection, is "sceptical").

Belgium
Belgium has adopted a new law, the Computer Crime Act (28.11.00)
[Loi sur la criminalite informatique] which "has settled
the principle of compulsory data retention" for a minimum
of 12 months.

On the proposal that there should be an EU instrument on data
retention: "it is essential to have common policies.. the
EU instrument could be a framework decision". It is important
to show that "the orientation of EU criminal law is not
only repressive [by introducing safeguards] which is unfortunately
more and more argued among the civil society".

Denmark
The Danish Administration of Justice Act was amended by Act No
378 of 6 June 2002 (the Anti-Terrorism Act of the Ministry of
Justice). Section 786 has been amended so that communications
providers have to retain data for 12 months.

On the proposal that there should be an EU instrument on data
retention: The Ministry of Justice "supports" the "solution
of creating an instrument on traffic data retention for law enforcement
purposes.. at a European level".

Finland
The main legislation is the Finnish Data Protection Law. Under
the Decree on the Protection of Privacy and Data Security in
Telecommunications operators are obliged to keep traffic data
for at least three months for billing purposes.

The police and Ministry of the Interior consider that the appropriate
and effective time for operators to keep traffic data (including
connection information, "logs") should be 2 years.
This should be taken into account when updating the Privacy Protection
Act.

On the proposal that there should be an EU instrument on data
retention: "it is hard to judge how it should be handled
at the European level".

France
Article 29 of the Law on Everyday Security of 15 November 2001
makes mandatory the retention of data "for the purpose of
investigating, establishing and prosecuting offences" for
up to one year.

On the proposal that there should be an EU instrument on data
retention: "Data retention for the purposes of public security
is explicitly authorised by Article 15 of Directive 58/2002/EC,
derogating from the general principle of erasure.. This new Directive..
marks a further step in dealing with this matter".

Germany
Two laws cover this issue, the law on teleservices (TDG) and
the law on telecommunications (TKG). Under section 89, para 2,
of the TKG, section 7 of the Regulation (TDSV) and section
6 of the teleservices data protection law, data may only be
retained (for up to six months) for billing purposes.

The Federal Constitutional Court has laid down "restrictive
conditions for the retention of personal data for purposes other
than for the original purpose of processing for official requirements
or for the purpose of concluding a contract". Moreover,
on economic grounds and for reasons of data protection,
the associations and service providers tend to be critical of
any obligation to retain traffic data. Exceptionally, there
is an obligation in Germany for those who are the subject
of the [surveillance] order to be notified that data is being
disclosed.

On the proposal that there should be an EU instrument on data
retention: The need has to be shown for this. The government
thus first has to consider whether it is "actually necessary"
and second whether it is "permissible pursuant to the German
constitutional law".

Greece
The current law on the protection of personal data in the telecommunications
sector is covered by Law No 2774/1999 compliant with the 1997
EC Directive. That is, data may be kept for billing purposes
and access to data by law enforcement agencies can only be made
for "specific cases and not on an abstract, general or preventive
basis".

However, for the present, the tendency in Greece is to
retain data for one year.

On the proposal that there should be an EU instrument on data
retention: "Greece considers the creation of such a legal
tool to be important, useful and essential".

Ireland
Directions were issued by the Minister for Public Enterprise
in April 2002, under the Postal and
Telecommunications Services Act 1983, to require operators "to
retain existing traffic data and future traffic data for not
less than 3 years". Primary legislation is being prepared
to require operators to retain data.

On the proposal that there should be an EU instrument on data
retention: an amendment should be made at EU level "to ensure
that law enforcement agencies access to call related data is
in accordance with national legislation".

Italy
Under law no 171 of 13/5/1998 the retention of data is not allowed
except for billing purposes. However, the law is being reviewed
as "this lack of precious information in support of criminal
investigations could pose serious obstacles".

The Italian submission notes that: as a general principle,
the longer that traffic data is retained the better it is.

On the proposal that there should be an EU instrument on data
retention: "international cooperation in this matter is
always welcome", an instrument should also cover the exchange
of data between countries.

Luxembourg
A new law is being drafted to incorporate the changes made to
the EC Directive on privacy in telecommunications as regards data
retention.

On the proposal that there should be an EU instrument on data
retention: "Harmonisation of procedures at European level
is always appropriate".

Netherlands
Article 13.4 (2) of the Telecommunications Law requires the retention
of "certain sets of data" (traffic data) for three
months.

On the proposal that there should be an EU instrument on data
retention: the Netherlands is conducting a review and says there
should be a legal instrument under Title VI of the TEU (ie: a
Framework Decision).

Portugal
The current Law 69/98 of 28 October 1998 says data must be erased
when it has served the purposes of billing. However, there is
an intention to "transpose" the new, amended EC Directive
(12 July 2002) into national legislation.

On the proposal that there should be an EU instrument on data
retention: "We feel that such a measure would be of great
importance".

Spain
Article 12.1 of the Information Society and Electronic Services
Law (Law 34/2002 of 11 July) is an amendment in line with the
major changes to the 1997 EC Directive on 12 July 2002 which
says "connection and traffic data" must be retained
for 12 months.

On the proposal that there should be an EU instrument on data
retention: Spain "very highly" backs such a proposal.

Sweden
A government committee has considered the implications of the
amended 1997 EC Directive and has made no suggestion that data
retention should be mandatory. The issue is however "the
subject of discussions".

On the proposal that there should be an EU instrument on data
retention: "it is difficult to see how cooperation could
be successful if the rules on traffic data retention seriously
diverge among its signatories" - in other words they would
support such a proposal.

UK
The position in the UK (as outlined above) is that data retention
is included in the Anti-Terrorism, Crime and Security Act 2001
but only in relation to purposes directly or indirectly connected
with national security.

On the proposal that there should be an EU instrument on data
retention: not surprisingly the UK says, "To resolve these
issues on a European basis would be very useful".

Conclusion
On the basis of this survey it can be broadly concluded that
at this stage:

1. Nine of the 15 EU states have or intend to introduce an obligation
for the retention of data, two member states have no plans and
four are unclear.

2. The norm for the period of data retention would appear to
be 12 months, although Ireland is way out ahead with 3 years.

3. Ten of the 15 EU states would support an EU measure, only two
are against this and three are unclear.